Solved

Active Directory (Netdiag) failed test KnowsOfRoleHolders

Posted on 2007-04-03
Last Modified: 2008-06-21
I have a Windows 2003 network, with a mix of Windows 2000 and Windows 2003 DCs, one domain. Each dept has its own local DC, and all servers have the latest service packs installed.

Recently I added three new DCs. When I run the netdiags on each server, I get this report back:

****************************************************************************************************

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Default-First-Site-Name\S-WATER-KP
      Starting test: Connectivity
         ......................... S-WATER-KP passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\S-WATER-KP
      Starting test: Replications
         ......................... S-WATER-KP passed test Replications
      Starting test: NCSecDesc
         ......................... S-WATER-KP passed test NCSecDesc
      Starting test: NetLogons
         ......................... S-WATER-KP passed test NetLogons
      Starting test: Advertising
         ......................... S-WATER-KP passed test Advertising
      Starting test: KnowsOfRoleHolders
         [TOSMAINBAC] DsBind() failed with error 1722,
         The RPC server is unavailable..
         Warning: TOSMAINBAC is the Schema Owner, but is not responding to DS RPC Bind.
         [TOSMAINBAC] LDAP connection failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: TOSMAINBAC is the Schema Owner, but is not responding to LDAP Bind.
         Warning: TOSMAINBAC is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: TOSMAINBAC is the Domain Owner, but is not responding to LDAP Bind.
         Warning: TOSMAINBAC is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: TOSMAINBAC is the PDC Owner, but is not responding to LDAP Bind.
         Warning: TOSMAINBAC is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: TOSMAINBAC is the Rid Owner, but is not responding to LDAP Bind.
         Warning: TOSMAINBAC is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: TOSMAINBAC is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... S-WATER-KP failed test KnowsOfRoleHolders
      Starting test: RidManager
         [S-WATER-KP] DsBindWithCred() failed with error 1722. The RPC server is unavailable.
         ......................... S-WATER-KP failed test RidManager
      Starting test: MachineAccount
         ......................... S-WATER-KP passed test MachineAccount
      Starting test: Services
         ......................... S-WATER-KP passed test Services
      Starting test: ObjectsReplicated
         ......................... S-WATER-KP passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... S-WATER-KP passed test frssysvol
      Starting test: kccevent
         ......................... S-WATER-KP passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0001F60
            Time Generated: 04/03/2007   12:25:00
            Event String: The browser service has failed to retrieve the

         ......................... S-WATER-KP failed test systemlog
   
   Running enterprise tests on : TOSMAIN.local
      Starting test: Intersite
         ......................... TOSMAIN.local passed test Intersite
      Starting test: FsmoCheck
         Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
         ......................... TOSMAIN.local passed test FsmoCheck

*************************************************************************************************

The other DCs on the network come back clean. The TOSMAINBAC server failed with the blue screen of death. I have since replaced this DC, and all other DCs recognize the new DC, except for these 3 DCs. I was unable to demote this failed DC.

I would usually just seize the roles, but I am concerned because all the other DCs see the correct server that now holds the roles.

Secondly, this TOSMAINBAC is still listed in the AD; it will not allow me to remove it.
0
Question by:AccessYourBiz_Com
5 Comments
 
LVL 38

Expert Comment

by:Shift-3
ID: 18845277
Make sure that all DCs have the correct DNS server IPs selected in their TCP/IP Properties.

Back up the System State on all DCs before changing anything.

Seize all the FSMO roles.
http://support.microsoft.com/kb/255504

Assuming you have a single-domain forest, make all your DCs Global Catalog servers.
http://support.microsoft.com/kb/313994

Manually remove TOSMAINBAC from Active Directory using NTDSUTIL.
http://support.microsoft.com/kb/216498

Remove TOSMAINBAC from Active Directory Sites and Services if it still appears there.
0
 
LVL 3

Author Comment

by:AccessYourBiz_Com
ID: 18845504
Just wanted to double-check: all other DCs know the correct role holder, just these three do not. Should I go ahead and seize the roles on these DCs?
0
 
LVL 3

Author Comment

by:AccessYourBiz_Com
ID: 18846050
When I run ntdsutil on the problem server, then select roles, then connections, and enter the command "connect to server [servername]", I receive an error message:

Binding to [servername]
DSBindW error 0x57(the parameter is incorrect)

If I run the same command (connect to server [servername]) on any other controller in the domain (except the 3 problem servers), the connection is successful.

Thanks
Steve
 
0
 
LVL 38

Accepted Solution

by:
Shift-3 earned 500 total points
ID: 18846068
You may want to run DCDIAG and REPADMIN first to make sure these DCs are replicating correctly.  A replication problem could account for the disparity in FSMO listings.
0
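
Added example (not part of the original thread): a small Python parser for dcdiag text like the report in the question, which lists the failed tests and the role owners a DC still points at but cannot bind to, so reports saved from several DCs can be compared before any roles are seized. The function name `triage` and the embedded excerpt are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: excerpt of the dcdiag output quoted in the question.
SAMPLE = """\
      Starting test: KnowsOfRoleHolders
         [TOSMAINBAC] DsBind() failed with error 1722,
         The RPC server is unavailable..
         Warning: TOSMAINBAC is the Schema Owner, but is not responding to DS RPC Bind.
         Warning: TOSMAINBAC is the Schema Owner, but is not responding to LDAP Bind.
         Warning: TOSMAINBAC is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: TOSMAINBAC is the PDC Owner, but is not responding to LDAP Bind.
         ......................... S-WATER-KP failed test KnowsOfRoleHolders
      Starting test: RidManager
         [S-WATER-KP] DsBindWithCred() failed with error 1722. The RPC server is unavailable.
         ......................... S-WATER-KP failed test RidManager
      Starting test: MachineAccount
         ......................... S-WATER-KP passed test MachineAccount
"""

RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test (\S+)\s*$")
WARNING = re.compile(
    r"^\s*Warning: (\S+) is the (.+?) Owner, but is not responding to (.+?) Bind\.")
BIND_ERR = re.compile(r"^\s*\[([^\]]+)\] (.+?) failed with error (\d+)")

def triage(report):
    """Summarise one DC's dcdiag report (hypothetical helper, not a dcdiag feature)."""
    failed = defaultdict(list)                      # tested server -> failed tests
    owners = defaultdict(lambda: defaultdict(set))  # silent owner -> role -> protocols
    errors = set()                                  # (target, call, error code)
    for line in report.splitlines():
        if m := RESULT.match(line):
            if m.group(2) == "failed":
                failed[m.group(1)].append(m.group(3))
        elif m := WARNING.match(line):
            owners[m.group(1)][m.group(2)].add(m.group(3))
        elif m := BIND_ERR.match(line):
            errors.add((m.group(1), m.group(2), int(m.group(3))))
    return {
        "failed_tests": dict(failed),
        "unreachable_owners": {o: {r: sorted(p) for r, p in roles.items()}
                               for o, roles in owners.items()},
        "bind_errors": sorted(errors),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

A DC whose summary names an owner that the other DCs' summaries do not is the one whose replication should be checked first.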
 
LVL 3

Author Comment

by:AccessYourBiz_Com
ID: 18846373
Thanks for your reply. In this case I know they are not replicating correctly; the errors I listed earlier are from the dcdiag program. When using ntdsutil to connect to the PDC, I tried both the IP and the DNS name with no success.

Thanks
Steve
0
